Libgcrypt: Side-channel attack

2020-03-15T00:00:00
ID GLSA-202003-32
Type gentoo
Reporter Gentoo Foundation
Modified 2020-03-15T00:00:00

Description

Background

Libgcrypt is a general purpose cryptographic library derived out of GnuPG.

Description

A timing attack was found in the way ECCDSA was implemented in Libgcrypt.

Impact

A local man-in-the-middle attacker, during signature generation, could possibly recover the private key.

Workaround

There is no known workaround at this time.

Resolution

All Libgcrypt users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.8.5"